[Date Prev][Date Next]
Re: How to only accept TLS connection on port 389
At 09:51 PM 1/21/2007, S Kalyanasundaram wrote:
>> While ldap:// uses 389 by default and ldaps:// uses 636 by default,
>> one can actually use ldap:// or ldaps:// on any port.
>So the port is independent of the connection type?
Yes, ldap://server:636 and ldaps://server:389 are syntactically
valid URLs. Of course, they are only valid in use if the server
was actually and quite oddly configured to accept ldap:// on 636
and ldaps:// on 389.
>The clear text authentication and as well as secured connection can be made on both the ports (389,636) ?
Given the above, and oddly configured clients (and possibly servers),
asking about what ports support is confusing.
The point I was trying to make is that configuring a
client to use port 636 doesn't necessarily cause it to
use ldaps:// instead.
>Then what for the port is being used?
Ports, and host addresses, are used to distingusih endpoints in a
TCP steam. That is, server:389 and server:636 are different
endpoints. Neither server:389 nor server:636 indicate which
protocol (or protocol variant) is to be used (or is used).
>I assumed 389 is clear text and 636 is encrypted(ssl/tls) one.
389 is the default port for ldap://.
636 is the default port for ldaps://.
However, assuming all communication is on default ports
is, well, a bad assumption. This thread started with
what appears to be a client using ldap:// on 636, like:
if the following had been done:
ldapsearch -H ldap://server:636